HIPAA Instructions For All IRB Applications
The Health Insurance Portability and Accountability Act (HIPAA) is designed by the federal government to protect the
use and disclosure of Protected Health Information or PHI. PHI is defined as any of the 18 identifiers listed below* in
combination with health information transmitted or maintained in any form (electronic, paper, or oral) that relates to
the past, present or future physical or mental health or conditions of an individual.
You may need IRB approval to create, access, store, use or disclose PHI if you are employed outside the Covered Entity (CE) and are obtaining PHI from a UK CE department, or if you are employed by a UK CE department and are collecting PHI from subjects. A CE is defined as any department (or institution in some cases) that provides services that meet the definition of health care provider, health plan or health care clearinghouse. The following website lists departments in the CE: http://www.mc.uky.edu/compliance/hipaa/Training.htm
Note: If you are obtaining PHI from another institution, you must use its HIPAA forms and comply with its
HIPAA requirements. Only complete this form if you are obtaining PHI from the University of Kentucky or
in the CE.
This application will determine: 1) If your research falls under HIPAA; 2) Which HIPAA form (if any) should
be completed; 3) Where to request/submit the HIPAA documents.
1. My research protocol involves creating, accessing, using, storing or disclosing PHI.
Yes: Go to question two (2).
No: STOP. Your research does not fall under HIPAA, but you must follow federal/state privacy laws and IRB requirements when dealing with patient/subject information.
2. My department is listed as a University of Kentucky Covered Entity.
Yes: Go to page two (2) and complete the HIPAA Application Form. You must comply with all of UK's regulations for creating, accessing, storing and disclosing PHI.
No: If you are accessing PHI from UK Medical Records or any other source of PHI within the CE, complete the HIPAA Application Form. You must comply with UK's HIPAA requirements for accessing PHI. Once PHI is removed from the CE, you must follow federal/state privacy laws and IRB requirements. If you are accessing PHI from another source, call ORI at 257-9084 to determine if HIPAA applies to your study.
If you have HIPAA Research questions, contact: Joe Brown, Research Privacy Specialist, at (859) 257-9084 or
email@example.com or Helene Lake-Bullock, Research Compliance Officer, at (859) 257-5943 or
For questions regarding HIPAA Patient Rights, Data Use Agreement or Accounting of Disclosure, contact: Brett
Short, Privacy Officer, at (859) 323-9817 or firstname.lastname@example.org.
For questions regarding HIPAA agreements such as Data Use Agreements or Business Associate Agreements, contact:
Harry Dadds, Associate General Counsel, at (859) 323-1161.
*HIPAA recognized identifiers (18):
1. Names
2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
HIPAA Application Form
De-identified Information: De-identified Information is health information that cannot be linked to an
individual. HIPAA lists 18 specific identifiers that must be removed to qualify as de-identified data. The
following identifiers can be recorded: initial three digits of the zip code if population is greater than 20K, age
if less than 90, gender and ethnicity.
If you are de-identifying protected health information (PHI) for your study and your department is in the
Covered Entity, complete the de-identification certification form and take it to Medical Records to obtain
PHI. Make a copy of the de-identification form and submit it with your IRB application.
If you are de-identifying PHI for your study and your department is NOT in the Covered Entity, complete
the de-identification certification form and submit a Business Associate Agreement (BAA) to Medical
Records to obtain PHI. Make a copy of the de-identification form and submit it with your IRB application.
BAAs are available at the following website: http://www.mc.uky.edu/compliance/HIPAA/HIPAAForms.htm
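As an added example (not part of the University of Kentucky instructions or forms), the following Python applies the de-identification rule described above to a constructed patient record: every listed identifier is dropped, dates are reduced to their year, and only the three-digit zip prefix (where the area population exceeds 20K), age (if under 90), gender and ethnicity survive. The field names, the zip-population table and the allow-list of health-data fields are assumptions made for this example.

```python
"""Added example, not part of the University of Kentucky instructions above: applies
the page's de-identification rule (drop the 18 listed identifiers; keep only ZIP3 where
population > 20K, age if under 90, gender, ethnicity) to a constructed record.
Field names, the ZIP-population table and the health-data allow-list are assumptions."""
from datetime import date

# Constructed field names standing in for the page's identifier categories.
IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "fingerprint", "voiceprint", "photo",
}
# Values the page says may be recorded, plus the health data itself
# (assumed allow-list: anything not named here is dropped, default-deny).
KEEP_FIELDS = {"state", "gender", "ethnicity", "dx_code", "lab_result"}
# Assumed population per 3-digit ZIP prefix; the page only states the 20K threshold.
ZIP3_POPULATION = {"405": 300_000, "036": 15_000}

def deidentify(record, as_of=date(2024, 1, 1)):
    """Return a new dict containing only what the page allows to be recorded."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue                       # listed identifier: remove outright
        if key == "zip":
            zip3 = str(value)[:3]          # initial three digits only ...
            if ZIP3_POPULATION.get(zip3, 0) > 20_000:
                out["zip3"] = zip3         # ... and only if that area holds > 20K people
        elif key == "birth_date":
            # Birth date is a date element; only an age under 90 may be kept.
            birthday_passed = (as_of.month, as_of.day) >= (value.month, value.day)
            age = as_of.year - value.year - (0 if birthday_passed else 1)
            if age < 90:
                out["age"] = age
        elif key.endswith("_date"):
            # Admission, discharge, death etc.: every date element except the year goes.
            out[key[:-5] + "_year"] = value.year
        elif key in KEEP_FIELDS:
            out[key] = value
        # Any other field is unrecognised and is dropped rather than risked.
    return out

# Constructed sample patient record for a stand-alone run.
SAMPLE = {
    "name": "Jane Doe", "mrn": "000123", "zip": "40536", "state": "KY",
    "birth_date": date(1940, 6, 15), "admission_date": date(2023, 11, 2),
    "gender": "F", "ethnicity": "Not Hispanic", "dx_code": "E11.9",
}
print(deidentify(SAMPLE))
```

A record that still carries a full date, a full zip or any field in IDENTIFIER_FIELDS after this step remains PHI and still needs an authorization, waiver or agreement as described on this form.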
Patient Authorization: A patient authorization is a document signed by the subject that gives the researcher
permission to use/disclose PHI collected during the research study for defined purposes.
An authorization should be signed by subjects when informed consent is obtained or when subjects are re-
consented. Submit an authorization form with your IRB application. Take the IRB approved authorization
form signed by the subject to Medical Records to obtain PHI. The IRB does not stamp “IRB Approval” on
HIPAA authorization forms since federal regulations do not require an approval stamp on these forms.
Waiver of Authorization: A waiver is a request to forgo the authorization requirement based on the fact that the disclosure of PHI is a minimal risk to the subject and the research cannot practically be done without access to/use of PHI. Please complete the waiver of authorization form and submit it with your IRB application.
The IRB will issue you a waiver of authorization approval letter. Take this letter to Medical Records to obtain
For clinical trials only: If you plan to review PHI to identify subjects for recruitment purposes and your
sponsor requires you to give them a screening log with PHI (and you have not obtained informed consent or
authorization), submit a waiver of authorization form with your application. Note: The waiver of
authorization will only be for recruitment purposes.
Limited Data Set: A limited data set is a subset of identifiers that contains the following elements: city, state, zip code, date of birth, date of death or date of service.
If your department is listed in the Covered Entity, a Data Use Agreement must be completed and
submitted to Medical Records to obtain PHI. Data Use Agreement is available at the following website:
If your department is NOT listed in the Covered Entity, a Data Use Agreement and a BAA must be
completed and submitted to Medical Records to obtain PHI. Data Use Agreement and BAA are available at
the following website: http://www.mc.uky.edu/compliance/HIPAA/HIPAAForms.htm
Preparatory Work for Research: Preparatory work is PHI reviewed for the purpose of designing a research
study or identifying potential subjects. Please go to Medical Records and complete their HIPAA Research
Form to obtain PHI.
Decedent Research: Decedent research is research where PHI is collected from a subject(s) that is deceased
prior to the initiation of the study